backend: update participant token validation middleware to always check for participant role header to specified a valid role include in the token roles. Refactor related middlewares to use the new participant token structure

2025-07-11 01:44:35 +02:00 · 2025-07-11 01:44:35 +02:00 · fdd897b86b
commit fdd897b86b
parent 22ce0e7d66
6 changed files with 46 additions and 19 deletions
--- a/backend/src/config/@types/express/index.d.ts
+++ b/backend/src/config/@types/express/index.d.ts
@ -1,5 +1,5 @@
 import { ParticipantRole, User } from '@typings-ce';
 import { ClaimGrants } from 'livekit-server-sdk';
 import { User } from '@typings-ce';
 // Override the Express Request type to include a session object with user and token properties
 // This will allow controllers to access the user and token information from the request object in a type-safe manner
@ -8,6 +8,7 @@ declare module 'express' {
 		session?: {
 			user?: User;
 			tokenClaims?: ClaimGrants;
 			participantRole?: ParticipantRole;
 		};
 	}
 }
--- a/backend/src/config/internal-config.ts
+++ b/backend/src/config/internal-config.ts
@ -13,6 +13,7 @@ const INTERNAL_CONFIG = {
 	// Headers for API requests
 	API_KEY_HEADER: 'x-api-key',
 	PARTICIPANT_ROLE_HEADER: 'x-participant-role',
 	// Authentication usernames
 	ANONYMOUS_USER: 'anonymous',
--- a/backend/src/middlewares/auth.middleware.ts
+++ b/backend/src/middlewares/auth.middleware.ts
@ -1,4 +1,4 @@
-import { User, UserRole } from '@typings-ce';
+import { OpenViduMeetPermissions, ParticipantRole, User, UserRole } from '@typings-ce';
 import { NextFunction, Request, RequestHandler, Response } from 'express';
 import rateLimit from 'express-rate-limit';
 import { ClaimGrants } from 'livekit-server-sdk';
@ -8,6 +8,7 @@ import INTERNAL_CONFIG from '../config/internal-config.js';
 import {
 	errorInsufficientPermissions,
 	errorInvalidApiKey,
 	errorInvalidParticipantRole,
 	errorInvalidToken,
 	errorInvalidTokenSubject,
 	errorUnauthorized,
@ -108,9 +109,10 @@ const validateTokenAndSetSession = async (req: Request, cookieName: string) => {
 	}
 	const tokenService = container.get(TokenService);
 	let payload: ClaimGrants;
 	try {
-		const payload = await tokenService.verifyToken(token);
+		payload = await tokenService.verifyToken(token);
 		const user = await getAuthenticatedUserOrAnonymous(req);
 		req.session = req.session || {};
@ -119,6 +121,31 @@ const validateTokenAndSetSession = async (req: Request, cookieName: string) => {
 	} catch (error) {
 		throw errorWithControl(errorInvalidToken(), true);
 	}
 	// If the token is a participant token, set the participant role in the session
 	if (cookieName === INTERNAL_CONFIG.PARTICIPANT_TOKEN_COOKIE_NAME) {
 		const participantRole = req.headers[INTERNAL_CONFIG.PARTICIPANT_ROLE_HEADER];
 		const allRoles = [ParticipantRole.MODERATOR, ParticipantRole.PUBLISHER];
 		// Ensure the participant role is provided and valid
 		// This is required to distinguish roles when multiple are present in the token
 		if (!participantRole || !allRoles.includes(participantRole as ParticipantRole)) {
 			throw errorWithControl(errorInvalidParticipantRole(), true);
 		}
 		// Check that the specified role is present in the token claims
 		const metadata = JSON.parse(payload.metadata || '{}');
 		const roles = metadata.roles || [];
 		const hasRole = roles.some(
 			(r: { role: ParticipantRole; permissions: OpenViduMeetPermissions }) => r.role === participantRole
 		);
 		if (!hasRole) {
 			throw errorWithControl(errorInsufficientPermissions(), true);
 		}
 		req.session.participantRole = participantRole as ParticipantRole;
 	}
 };
 // Configure API key validatior
--- a/backend/src/middlewares/participant.middleware.ts
+++ b/backend/src/middlewares/participant.middleware.ts
@ -56,15 +56,14 @@ export const configureParticipantTokenAuth = async (req: Request, res: Response,
 export const withModeratorPermissions = async (req: Request, res: Response, next: NextFunction) => {
 	const { roomId } = req.params;
 	const payload = req.session?.tokenClaims;
 	const role = req.session?.participantRole;
-	if (!payload) {
+	if (!payload || !role) {
 		const error = errorInsufficientPermissions();
 		return rejectRequestFromMeetError(res, error);
 	}
 	const sameRoom = payload.video?.room === roomId;
 	const metadata = JSON.parse(payload.metadata || '{}');
 	const role = metadata.role as ParticipantRole;
 	if (!sameRoom || role !== ParticipantRole.MODERATOR) {
 		const error = errorInsufficientPermissions();
--- a/backend/src/middlewares/recording.middleware.ts
+++ b/backend/src/middlewares/recording.middleware.ts
@ -1,4 +1,4 @@
-import { MeetRoom, OpenViduMeetPermissions, RecordingPermissions, UserRole } from '@typings-ce';
+import { MeetRoom, OpenViduMeetPermissions, ParticipantRole, RecordingPermissions, UserRole } from '@typings-ce';
 import { NextFunction, Request, Response } from 'express';
 import { container } from '../config/index.js';
 import { RecordingHelper } from '../helpers/index.js';
@ -42,15 +42,18 @@ export const withRecordingEnabled = async (req: Request, res: Response, next: Ne
 export const withCanRecordPermission = async (req: Request, res: Response, next: NextFunction) => {
 	const roomId = extractRoomIdFromRequest(req);
 	const payload = req.session?.tokenClaims;
 	const role = req.session?.participantRole;
-	if (!payload) {
+	if (!payload || !role) {
 		const error = errorInsufficientPermissions();
 		return rejectRequestFromMeetError(res, error);
 	}
 	const sameRoom = payload.video?.room === roomId;
 	const metadata = JSON.parse(payload.metadata || '{}');
-	const permissions = metadata.permissions as OpenViduMeetPermissions | undefined;
+	const permissions = metadata.roles?.find(
 		(r: { role: ParticipantRole; permissions: OpenViduMeetPermissions }) => r.role === role
 	)?.permissions as OpenViduMeetPermissions | undefined;
 	const canRecord = permissions?.canRecord;
 	if (!sameRoom || !canRecord) {
--- a/backend/src/middlewares/room.middleware.ts
+++ b/backend/src/middlewares/room.middleware.ts
@ -21,6 +21,7 @@ import { allowAnonymous, tokenAndRoleValidator, withAuth } from './auth.middlewa
 export const configureRoomAuthorization = async (req: Request, res: Response, next: NextFunction) => {
 	const roomId = req.params.roomId as string;
 	const payload = req.session?.tokenClaims;
 	const role = req.session?.participantRole;
 	// If there is no token, the user is admin or it is invoked using the API key
 	// In this case, the user is allowed to access the resource
@ -29,16 +30,10 @@ export const configureRoomAuthorization = async (req: Request, res: Response, ne
 	}
 	const sameRoom = payload.video?.room === roomId;
 	const metadata = JSON.parse(payload.metadata || '{}');
 	const role = metadata.role as ParticipantRole;
-	if (!sameRoom) {
+	// If the user does not belong to the requested room,
-		const error = errorInsufficientPermissions();
+	// or the user is not a moderator, access is denied
-		return rejectRequestFromMeetError(res, error);
+	if (!sameRoom || role !== ParticipantRole.MODERATOR) {
 	}
 	// If the user is not a moderator, it is not allowed to access the resource
 	if (role !== ParticipantRole.MODERATOR) {
 		const error = errorInsufficientPermissions();
 		return rejectRequestFromMeetError(res, error);
 	}
@ -96,7 +91,8 @@ export const configureRecordingTokenAuth = async (req: Request, res: Response, n
 	if (authModeToAccessRoom === AuthMode.NONE) {
 		authValidators.push(allowAnonymous);
 	} else {
-		const isModeratorsOnlyMode = authModeToAccessRoom === AuthMode.MODERATORS_ONLY && role === ParticipantRole.MODERATOR;
+		const isModeratorsOnlyMode =
 			authModeToAccessRoom === AuthMode.MODERATORS_ONLY && role === ParticipantRole.MODERATOR;
 		const isAllUsersMode = authModeToAccessRoom === AuthMode.ALL_USERS;
 		if (isModeratorsOnlyMode || isAllUsersMode) {